A highly coordinated phishing campaign has been actively targeting online banking users in the Philippines since early 2024. Hackers, instead of using obvious scams, are leveraging trusted platforms and legitimate services to steal sensitive banking credentials and one-time passwords (OTPs). As a result, victims often lose funds within minutes of falling for the attack.

According to researchers from Group-IB CERT, the campaign—tracked under the threat actor name PHISLES—has remained persistent and effective for over two years. Their analysis revealed that attackers distributed more than 900 malicious links, impersonating at least three major Philippine banks. Moreover, over 400 victims were confirmed between January 2024 and January 2026, with the campaign still ongoing.

Typically, attackers initiate the scam by sending emails that appear legitimate. These messages warn users about suspicious account activity or unauthorized login attempts. Consequently, recipients feel pressured to act quickly and click on embedded links. Once they land on fake banking pages, they unknowingly enter their usernames, passwords, and OTPs.

Immediately after capturing this information, attackers exploit it in real time. Victims have reported that funds disappear within minutes, highlighting how efficiently the campaign bypasses multi-factor authentication safeguards.

What makes this campaign particularly dangerous is its use of compromised email accounts. Instead of spoofed addresses, attackers send phishing emails from real accounts obtained through combolists—large databases of stolen credentials traded on underground forums and Telegram channels. This tactic significantly increases trust and helps emails evade traditional spam filters.

Use of Trusted Platforms to Evade Detection

Furthermore, attackers have refined their delivery techniques. Since mid-2025, they have stopped embedding direct phishing links in emails. Instead, they route victims through chains of legitimate platforms, so that the malicious links appear safe.

For instance, attackers use Google Business Profile links to exploit the trust associated with Google domains. They also wrap phishing URLs inside Google AMP CDN links, so that they appear to be secure Google-hosted pages. Additionally, URL shorteners such as loom.ly and shorturl.at conceal malicious destinations behind clean-looking links.

At the same time, attackers use Google Cloud Workstations to create temporary redirect links with valid SSL certificates. Similarly, Cloudflare domains such as workers.dev and pages.dev provide HTTPS out of the box and let attackers generate new subdomains quickly, ensuring continuity even after takedowns.

Perhaps most concerning, attackers compromised a legitimate Philippine educational institution’s domain. By creating hidden subdomains with valid SSL certificates, they redirected traffic to malicious servers without affecting the institution’s normal operations.
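A defender-side triage helper for the redirect chains described above, added here as an example and not taken from the Group-IB report: it unwraps Google AMP cache links (assumed format `https://<pub>.cdn.ampproject.org/c/s/<host>/<path>`), then flags links whose final host is one of the shorteners or disposable Cloudflare suffixes named in this article rather than an allow-listed bank domain. The bank hostname and the sample email body are constructed placeholders.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlparse
import re

# Constructed allow-list of the bank's real login hosts (placeholder value).
TRUSTED_BANK_HOSTS = {"online.examplebank.ph"}
# Wrappers named in the report: shorteners and disposable HTTPS hosting.
SHORTENERS = {"loom.ly", "shorturl.at"}
THROWAWAY_SUFFIXES = (".workers.dev", ".pages.dev")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def unwrap_amp(url: str) -> Optional[str]:
    """Recover the origin URL behind a Google AMP cache link (assumed layout:
    /c/s/<host>/<path> for an https origin, /c/<host>/<path> for http)."""
    p = urlparse(url)
    if not p.hostname or not p.hostname.endswith(".cdn.ampproject.org"):
        return None
    parts = p.path.split("/", 3)  # ['', 'c', 's', 'host/path'] or ['', 'c', 'host', 'path']
    if len(parts) == 4 and parts[1] == "c" and parts[2] == "s":
        return "https://" + parts[3]
    if len(parts) >= 3 and parts[1] == "c":
        return "http://" + "/".join(parts[2:])
    return None

def classify_link(url: str) -> Tuple[str, str]:
    """Peel nested AMP wrappers (bounded), then judge the final host.
    Verdicts: trusted, shortener, throwaway-host, untrusted."""
    for _ in range(5):
        inner = unwrap_amp(url)
        if inner is None:
            break
        url = inner
    host = (urlparse(url).hostname or "").lower()
    if host in TRUSTED_BANK_HOSTS:
        return "trusted", url
    if host in SHORTENERS:
        return "shortener", url
    if host.endswith(THROWAWAY_SUFFIXES):
        return "throwaway-host", url
    return "untrusted", url

def triage_email(body: str) -> List[Tuple[str, str, str]]:
    """Return (link_as_seen, verdict, unwrapped_link) for every link in the body."""
    return [(u, *classify_link(u)) for u in URL_RE.findall(body)]

# Constructed sample notice mimicking the "suspicious login" lure.
SAMPLE_BODY = """Unusual login detected, verify now:
https://online-examplebank-ph.cdn.ampproject.org/c/s/login-verify-abc.workers.dev/ph/otp
Or use https://shorturl.at/xyz123 . Official site: https://online.examplebank.ph/"""
```

Calling `triage_email(SAMPLE_BODY)` marks the AMP-wrapped link as `throwaway-host` (its real destination is a workers.dev subdomain), the shortener as `shortener`, and only the genuine bank URL as `trusted`.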

Preventive Measures

To stay protected, users should carefully verify URLs before entering credentials and avoid clicking on urgent or suspicious links. Additionally, using unique passwords and enabling multi-factor authentication can significantly reduce risk.

Meanwhile, financial institutions must actively alert customers about ongoing scams. Security teams should monitor unusual traffic patterns and unauthorized domain activity. Educational organizations, on the other hand, should enforce strict domain security measures, including MFA and regular DNS audits.

Overall, this campaign demonstrates how cybercriminals continue to evolve, using trusted platforms to bypass defenses and execute highly effective financial fraud.
